In re Application of: Ariel PELED et al 
Serial No.: 10/003,269 
Filed: December 6, 2001 
Office Action Mailing Date: March 13, 2009 

In the Claims: 

1. (Currently Amended) A The system of claim 142 for network content 
monitoring comprising at least one processor and an electronically readable medium, 
further configured with such that 

a transport data monitor, connectable to a point in said network, for 
monitoring data being transported past said point, 

a description extractor, associated with said transport data monitor, for 
extracting descriptions of said data being transported, 

a database of preobtained descriptions of known content whose 
movements it is desired to monitor, 

a comparator, configured to determine whether said extracted 
description corresponds to any of said at least one preobtained descriptions, said 
determination further including includes a confidence level, said confidence level 
being incremented each time a correspondence is found, and to decide, using said 
determination including said confidence level, whether said data being transported 
comprises any of said content whose movements it is desired to monitor, the system 
being configured such as to take no action for a low level of confidence, to allow 
transport with a reduced bandwidth for a medium level of confidence and to 
completely stop said transport for a high level of confidence. 

2. (Currently Amended) A system according to claim 142, wherein said 
description extractor is operable to extract a pattern identifiably descriptive of said 
data being transported. 

3. (Currently Amended) A system according to claim 142, wherein said 
description extractor is operable to extract a signature of said data being transported. 

4. (Currently Amended) A system according to claim 142, wherein said 
description extractor is operable to extract characteristics of said data being 
transported. 

5. (Currently Amended) A system according to claim 142, wherein said 
description extractor is operable to extract encapsulated meta information of said data 
being transported. 

6. (Currently Amended) A system according to claim 142, wherein said 
description extractor is operable to extract multi-level descriptions of said data being 
transported. 

7. (Original) A system according to claim 6, wherein said multi-level 
description comprises of a pattern identifiably descriptive of said data being 
transported. 

8. (Original) A system according to claim 6, wherein said multi-level 
description comprises a signature of said data being transported. 

9. (Original) A system according to claim 6, wherein said multi-level 
description comprises characteristics of said data being transported. 

10. (Original) A system according to claim 6, wherein said multi-level 
description comprises encapsulated meta-information of said data being transported. 

11. (Currently Amended) A system according to claim 142, wherein said 
description extractor is a signature extractor, for extracting a derivation of said data, 
said derivation being a signature indicative of content of said data being transported, 
and wherein said at least one preobtained description is a preobtained signature. 

12. (Currently Amended) A system according to claim 142, said network 
being a packet-switched network and said data being transported comprising passing 
packets. 



13. (Currently Amended) A system according to claim 142, said network 
being a packet-switched network, said data being transported comprising passing 
packets and said transport data monitor being operable to monitor header content of 
said passing packets. 

14. (Currently Amended) A system according to claim 1 142, said network 
being a packet-switched network, said data being transported comprising passing 
packets, and said transport data extractor being operable to monitor header content 
and data content of said passing packets. 

15. (Currently Amended) A system according to claim 142, wherein said 
transport data monitor is a software agent, operable to place itself on a predetermined 
node of said network. 

16. (Currently Amended) A system according to claim 142, comprising a 
plurality of transport data monitors distributed over a plurality of points on said 
network. 

17. (Currently Amended) A system according to claim 142, said 
transport data monitor further comprising a multimedia filter for determining whether 
passing content comprises multimedia data and restricting said signature extraction to 
said multimedia data. 

18. (Currently Amended) A system according to claim 142, said data 
being transported comprising a plurality of protocol layers, the system further 
comprising a layer analyzer connected between said transport data monitor and said 
signature extractor, said layer analyzer comprising analyzer modules for at least two 
of said layers. 

19. (Original) A system according to claim 18, said layer analyzer 
comprising separate analyzer modules for respective layers. 



Examiner: Christopher J. BROWN 
Group Art Unit: 2434 
Attorney Docket: 01/22067 

20. (Original) A system according to claim 18, further comprising a traffic 
associator, connected to said analyzer modules, for using output from said analyzer 
modules to associate transport data from different sources as a single communication. 



21. (Original) A system according to claim 20, wherein said sources are at 
least one of a group comprising: data packets, communication channels, data 
monitors, and pre correlated data. 



22. (Original) A system according to claim 18, comprising a traffic state 
associator connected to receive output from said layer analyzer modules, and to 
associate together output, of different layer analyzer modules, which belongs to a 
single communication. 



23. (Original) A system according to claim 18, wherein at least one of said 
analyzer modules comprises a multimedia filter for determining whether passing 
content comprises multimedia data and restricting said signature extraction to said 
multimedia data. 



24. (Original) A system according to claim 18, wherein at least one of said 
analyzer modules comprises a compression detector for determining whether said 
extracted transport data is compressed. 

25. (Original) A system according to claim 24, further comprising a 
decompressor, associated with said compression detector, for decompressing said data 
if it is determined that said data is compressed. 

26. (Original) A system according to claim 24, further comprising a 
description extractor for extracting a description directly from said compressed data. 

27. (Original) A system according to claim 18, wherein at least one of said 
analyzer modules comprises an encryption detector for determining whether said 
transport data is encrypted. 

28. (Original) A system according to claim 27, wherein said encryption 
detector comprises an entropy measurement unit for measuring entropy of said 
monitored transport data. 

29. (Original) A system according to claim 28, wherein said encryption 
detector is set to recognize a high entropy as an indication that encrypted data is 
present. 

30. (Original) A system according to claim 29, wherein said encryption 
detector is set to use a height of said measured entropy as a confidence level of said 
encrypted data indication. 

31. (Original) A system according to claim 18, further comprising a format 
detector for determining a format of said monitored transport data. 

32. (Original) A system according to claim 31, further comprising a media 
player, associated with said format detector, for rendering and playing said monitored 
transport data as media according to said detected format, thereby to place said 
monitored transport data in condition for extraction of a signature which is 
independent of a transportation format. 

33. (Original) A system according to claim 31, further comprising a parser, 
associated with said format detector, for parsing said monitored transport media, 
thereby to place said monitored transport data in condition for extraction of a 
signature which is independent of a transportation format. 

34. (Currently Amended) A system according to claim 142, comprising a 
payload extractor located between said transport monitor and said signature extractor 
for extracting content carrying data for signature extraction. 

35. (Currently Amended) A system according to claim 142, wherein said 
signature extractor comprises a binary function for applying to said monitored 
transport data. 

36. (Currently Amended) A system according to claim 142, wherein said 
network is a packet network, and wherein a buffer is associated with said signature 
extractor to enable said signature extractor to extract a signature from a buffered batch 
of packets. 

37. (Original) A system according to claim 35, wherein said binary 
function comprises at least one hash function. 

38. (Original) A system according to claim 37, wherein said binary 
function comprises a first, fast, hash function to identify an offset in said monitored 
transport data and a second, full, hash function for application to said monitored 
transport data using said offset. 

39. (Original) A system according to claim 11, wherein said signature 
extractor comprises an audio signature extractor for extracting a signature from an 
audio part of said monitored data being transported. 

40. (Original) A system according to claim 11, wherein said signature 
extractor comprises a video signature extractor for extracting a signature from a video 
part of said monitored data being transported. 

41. (Original) A system according to claim 11, said signature extractor 
comprising a pre-processor for pre-processing said monitored data being transported 
to improve signature extraction. 

42. (Original) A system according to claim 41, said preprocessor operable 
to carry out at least one of a group of pre-processing operations comprising: removing 
erroneous data, removing redundancy, and canonizing properties of said monitored 
data being transported. 

43. (Original) A system according to claim 11, wherein said signal 
extractor comprises a binary signal extractor for initial signature extraction and an 
audio signature extractor for extracting an audio signature in the event said initial 
signature extraction fails to yield an identification. 

44. (Original) A system according to claim 11, wherein said signal 
extractor comprises a binary signal extractor for initial signature extraction and a text 
signature extractor for extracting a text signature in the event said initial signature 
extraction fails to yield an identification. 

45. (Original) A system according to claim 11, wherein said signal 
extractor comprises a binary signal extractor for initial signature extraction and a code 
signature extractor for extracting a code signature in the event said initial signature 
extraction fails to yield an identification. 

46. (Original) A system according to claim 11, wherein said signal 
extractor comprises a binary signal extractor for initial signature extraction and a data 
content signature extractor for extracting a data content signature in the event said 
initial signature extraction fails to yield an identification. 

47. (Original) A system according to claim 11, wherein said signature 
extractor is operable to use a plurality of signature extraction approaches. 

48. (Original) A system according to claim 47, further comprising a 
combiner for producing a combination of extracted signatures of each of said 
approaches. 

49. (Original) A system according to claim 47, wherein said comparator is 
operable to compare using signatures of each of said approaches and to use as a 
comparison output a highest result of each of said approaches. 

50. (Original) A system according to claim 11, wherein said signal 
extractor comprises a binary signal extractor for initial signature extraction and a 
video signature extractor for extracting a video signature in the event said initial 
signature extraction fails to yield an identification. 

51. (Original) A system according to claim 11, wherein there is a plurality 
of preobtained signatures and wherein said comparator is operable to compare said 
extracted signature with each one of said preobtained signatures, thereby to determine 
whether said monitored transport data belongs to a content source which is the same 
as any of said signatures. 

52. (Original) A system according to claim 51, said comparator being 
operable to obtain a cumulated number of matches of said extracted signature. 

53. (Original) A system according to claim 51, wherein said comparator is 
operable to calculate a likelihood of compatibility with each of said preobtained 
signatures and to output a highest one of said probabilities to an unauthorized content 
presence determinator connected subsequently to said comparator. 

54. (Original) A system according to claim 52, said comparator being 
operable to calculate a likelihood of compatibility with each of said preobtained 
signatures and to output an accumulated total of matches which exceed a threshold 
probability level. 

55. (Original) A system according to claim 52, said comparator being 
operable to calculate the likelihood of compatibility with each of said preobtained 
signatures and to output an accumulated likelihood of matches which exceed a 
threshold probability level. 

56. (Original) A system according to claim 51, comprising a sequential 
decision unit associated with said comparator, being operable to use a sequential 
decision test to update a likelihood of the presence of given content, based on at least 
one of the following: successive matches made by said comparator, context related 
parameters, other content related parameters and outside parameters. 

57. (Original) A system according to claim 53, wherein said unauthorized 
content presence determinator is operable to use the output of said comparator to 
determine whether unauthorized content is present in said transport and to output a 
positive decision of said presence to a subsequently connected policy determinator. 

58. (Original) A system according to claim 51, wherein an unauthorized 
content presence determinator is connected subsequently to said comparator and is 
operable to use an output of said comparator to determine whether unauthorized 
content is present in said data being transported, a positive decision of said presence 
being output to a subsequently connected policy determinator. 

59. (Original) A system according to claim 58, wherein said policy 
determinator comprises a rule-based decision making unit for producing an 
enforcement decision based on output of at least said unauthorized content presence 
determinator. 

60. (Currently Amended) A system according to claim 142, wherein said 
policy determinator is operable to use said rule-based decision making unit to select 
between a set of outputs including at least some of: taking no action, performing 
auditing, outputting a transcript of said content, reducing bandwidth assigned to said 
transport, using an active bitstream interference technique, stopping said transport, 
preventing printing, preventing photocopying, reducing quality of the content, 
removing sensitive parts, altering the content, adding a message to the said content, 
and preventing of saving on a portable medium, 

61. (Original) A system according to claim 60, wherein said rule-based 
decision making unit is operable to use a likelihood level of a signature identification 
as an input in order to make said selection. 

62. (Original) A system according to claim 61, further comprising a 
bandwidth management unit connected to said policy determinator for managing 
network bandwidth assignment in accordance with output decisions of said policy 
determinator. 

63. (Currently Amended) A system according to claim 142, further 
comprising an audit unit for preparing and storing audit reports of transportation of 
data identified as corresponding to content it is desired to monitor. 

64. (Currently Amended) A system according to claim 142, comprising a 
transcript output unit for producing transcripts of content identified by said 
comparison. 

65. (Original) A system according to claim 27, further comprising a policy 
determinator connected to receive outcomes of said encryption determinator and to 
apply rule-based decision making to select between a set of outputs including at least 
some of: taking no action, performing auditing, outputting a transcript of said content, 
reducing bandwidth assigned to said transport, using an active bitstream interference 
technique, and stopping said transport. 

66. (Original) A system according to claim 65, wherein said rule-based 
decision-making comprises rules based on confidence levels of said outcomes. 



67. (Original) A system according to claim 65, wherein said policy 
determinator is operable to use an input of an amount of encrypted transport from a 
given user as a factor in said rule based decision making. 

68. (Original) A system according to claim 30, further comprising a policy 
determinator connected to receive positive outcomes of said encryption determinator 
and to apply rule-based decision making to select between a set of outputs including 
at least some of: taking no action, performing auditing, outputting a transcript of said 
content, reducing bandwidth assigned to said transport, using an active bitstream 
interference technique, and stopping said transport, said policy determinator operable 
to use: 

an input of an amount of encrypted transport from a given user, and 
said confidence level, as factors in said rule based decision making. 

69. (Currently Amended) A The system of claim 142, for network content 
control of a local or organization network, comprising: 

a transport data monitor, connectable to a point in said network, for 
monitoring data being transported past said point, 

wherein said derivation description extractor comprises a signature 
extractor, associated with said transport data monitor, for extracting a derivation of 
payload of said monitored data, said derivation being indicative of content of said 
data, 

a database of preobtained signatures of known content whose 
movements it is desired to monitor, said content being internally generated in the 
network in advance of said extracting, said preobtained signatures being obtained in 
advance of said extracting said derivation of said payload, 

a comparator for comparing said derivation with said preobtained 
signatures, and to determine whether said monitored data comprises any of said 
content whose movements it is desired to control, said determining further including a 
level of confidence, said confidence level being incremented each time a 
correspondence with one of said preobtained signatures is found, 

a decision-making unit for producing an enforcement decision, using 
the output of said comparator including said confidence level, and 

a bandwidth management unit connected to said decision-making unit 
for managing network bandwidth assignment in accordance with output decisions of 
said decision making unit, thereby to control content distribution over said network by 
assigning bandwidth in accordance with said confidence level 

70. (Original) A system according to claim 69, wherein said decision- 
making unit is a rule-based decision-making unit. 

71. (Original) A system according to claim 70, wherein said transport data 
monitor is a software agent, operable to place itself on a predetermined node of said 
network. 

72. (Original) A system according to claim 70, comprising a plurality of 
transport data monitors distributed over a plurality of points on said network. 

73. (Original) A system according to claim 70, said transport data monitor 
further comprising a multimedia filter for determining whether passing content 
comprises multimedia data and restricting said signature extraction to said multimedia 
data. 

74. (Original) A system according to claim 70, said transport data 
comprising a plurality of protocol layers, the system further comprising a layer 
analyzer connected between said transport data monitor and said signature extractor, 
said layer analyzer comprising analyzer modules for at least two of said layers. 

75. (Original) A system according to claim 74, comprising a traffic state 
associator connected to receive output from said layer analyzer modules, and to 
associate together output of different layer analyzer modules which belongs to a 
single communication. 

76. (Original) A system according to claim 74, one of said analyzer 
modules comprising a multimedia filter for determining whether passing content 
comprises multimedia data and restricting said data extraction to said multimedia 
data. 




77. (Original) A system according to claim 74, one of said analyzer 
modules comprising a compression detector for determining whether said monitored 
transport data is compressed. 

78. (Original) A system according to claim 77, further comprising a 
decompressor, associated with said compression detector, for decompressing said data 
if it is determined that said data is compressed. 

79. (Original) A system according to claim 74, one of said analyzer 
modules comprising an encryption detector for determining whether said monitored 
transport data is encrypted. 

80. (Original) A system according to claim 79, wherein said encryption 
detector comprises an entropy measurement unit for measuring entropy of said 
monitored transport data. 

81. (Original) A system according to claim 80, said encryption detector 
being set to recognize a high entropy as an indication that encrypted data is present. 

82. (Original) A system according to claim 81, said encryption detector 
being set to use a height of said measured entropy as a confidence level of said 
encrypted data indication. 

83. (Original) A system according to claim 74, further comprising a format 
detector for determining a format of said monitored transport data. 

84. (Original) A system according to claim 83, further comprising a media 
player, associated with said format detector, for rendering and playing said monitored 
transport data as media according to said detected format, thereby to place said 
extracted transport data in condition for extraction of a signature which is independent 
of a transportation format. 

85. (Original) A system according to claim 83, further comprising a parser, 
associated with said format detector, for parsing said monitored transport media, 
thereby to place said extracted transport data in condition for extraction of a signature 
which is independent of a transportation format. 

86. (Original) A system according to claim 70, wherein said signature 
extractor comprises a binary function for applying to said extracted transport data. 

87. (Original) A system according to claim 86, wherein said binary 
function comprises at least one hash function. 

88. (Original) A system according to claim 87, wherein said binary 
function comprises a first, fast, hash function to identify an offset in said extracted 
transport data and a second, full, hash function for application to said extracted 
transport data using said offset. 

89. (Original) A system according to claim 70, wherein said signature 
extractor comprises an audio signature extractor for extracting a signature from an 
audio part of said extracted transport data. 

90. (Original) A system according to claim 70, wherein said signature 
extractor comprises a video signature extractor for extracting a signature from a video 
part of said extracted transport data. 

91. (Original) A system according to claim 70, wherein said comparator is 
operable to compare said extracted signature with each one of said preobtained 
signatures, thereby to determine whether said monitored transport data belongs to a 
content source which is the same as any of said signatures. 



92. (Original) A system according to claim 91, wherein said comparator is 
operable to calculate a likelihood of compatibility with each of said preobtained 
signatures and to output a highest one of said probabilities to an unauthorized content 
presence determinator connected subsequently to said comparator. 

93. (Original) A system according to claim 92, wherein said unauthorized 
content presence determinator is operable to use the output of said comparator to 
determine whether unauthorized content is present in said transport and to output a 
positive decision of said presence to a subsequently connected policy determinator. 

94. (Original) A system according to claim 91, wherein an unauthorized 
content presence determinator is connected subsequently to said comparator and is 
operable to use an output of said comparator to determine whether unauthorized 
content is present in said transport, a positive decision of said presence being output to 
a subsequently connected policy determinator. 

95. (Original) A system according to claim 94, wherein said policy 
determinator comprises said rule-based decision making unit for producing an 
enforcement decision based on output of at least said unauthorized content presence 
determinator. 

96. (Original) A system according to claim 70, wherein said policy 
determinator is operable to use said rule-based decision making unit to select between 
a set of outputs including at least some of: taking no action, performing auditing, 
outputting a transcript of said content, reducing bandwidth assigned to said transport, 
using an active bitstream interference technique, stopping said transport, not allowing 
printing of said content, not allowing photocopying of said content and not allow 
saving of said content on portable media. 

97. (Original) A system according to claim 96, said rule-based decision 
making unit is operable to use a likelihood of a signature identification as an input in 
order to make said selection. 




98. (Original) A system according to claim 70, further comprising an audit 
unit for preparing and storing audit reports of transportation of data identified as 
corresponding to content it is desired to monitor. 



99. (Original) A system according to claim 79, further comprising a policy 
determinator connected to receive positive outcomes of said encryption determinator 
and to apply rule-based decision of said rule-based decision making unit to select 
between a set of outputs including at least some of: taking no action, performing 
auditing, outputting a transcript of said content, reducing bandwidth assigned to said 
transport, using an active bitstream interference technique, stopping said transport, 
reducing quality of the content, removing sensitive parts, altering the content, adding 
a message to said content, not allowing printing of said content, not allowing 
photocopying of said content and not allow saving of said content on portable media. 

100. (Original) A system according to claim 99, said policy determinator 
being operable to use an input of an amount of encrypted transport from a given user 
as a factor in said rule based decision making. 

101. (Original) A system according to claim 82, further comprising a policy 
determinator connected to receive positive outcomes of said encryption determinator 
and to apply rule-based decision making of said rule-based decision-making unit to 
select between a set of outputs including at least some of: taking no action, 
performing auditing, outputting a transcript of said content, reducing bandwidth 
assigned to said transport, using an active bitstream interference technique, stopping 
said transport, reducing quality of the content, removing sensitive parts, altering the 
content, adding a message to said content, not allowing printing of said content, not 
allowing photocopying of said content, and not allowing saving of said content on 
portable media. 

102. (Original) A system according to claim 101, said policy determinator 
being operable to use: 

an input of an amount of encrypted transport from a given user, and 
said confidence level, 

as factors in said rule based decision making. 

103. (Original) A system according to claim 69, comprised within a 
firewall. 

104. (Original) A system according to claim 103, said transport data 
monitor being operable to inspect incoming and outgoing data transport crossing said 
firewall. 

105. (Original) A system according to claim 69, operable to define a 
restricted network zone within said network by inspecting data transport outgoing 
from said zone. 



106. (Cancelled) 

107. (Original) A system according to claim 69, comprising certification 
recognition functionality to recognize data sources as being trustworthy and to allow 
data transport originating from said trustworthy data sources to pass through with 
monitoring modified on the basis of said data source recognition. 

108. (Original) A system according to claim 69, comprising certification 
recognition functionality to recognize data sources as being trustworthy and to allow 
data transport originating from said trustworthy data sources to pass through with said 
decision making being modified on the basis of said data source recognition. 

109-112. (Cancelled) 

113. (Previously Presented) A system according to claim 1, wherein said 
transport data monitor comprises functionality to remove steganograms, said 
steganograms for removal being steganograms comprising information hidden within 
said data being monitored by said transport data monitor. 

114. (Previously Presented) A system according to claim 113, wherein said 
functionality to remove steganograms is independent of at least one of a group 
comprising: 

a content of said steganogram hidden within said data being monitored, 
a content of said information hidden within said data being monitored, and 
of a method of hiding of said steganogram within said data being monitored. 



115. (Previously Presented) A system according to claim 69, wherein said 
functionality to remove steganograms comprises at least one of the following: 

adding noise to said data being monitored by said transport data monitor; 

distorting said data being monitored by said transport data monitor; and 
embedding at least one steganogram within said data being monitored 
by said transport data monitor. 

116. (Previously Presented) A system according to claim 69, wherein said 
transport data monitor comprises functionality to remove steganograms, said 
steganograms for removal being steganograms comprising information hidden within 
said data being monitored by said transport data monitor. 

117. (Previously Presented) A system according to claim 116, wherein said 
functionality to remove steganograms is independent of at least one of a group 
comprising: 

a content of said steganogram hidden within said data being monitored, 

a content of said information hidden within said data being monitored, and 

of a method of hiding of said steganogram within said data being monitored. 

118. (Previously Presented) A system according to claim 116, wherein said 
functionality to remove steganograms comprises at least one of the following: 

adding noise to said data being monitored by said transport data monitor; 

distorting said data being monitored by said transport data monitor; and 

embedding at least one steganogram within said data being monitored 
by said transport data monitor. 

119-124. (Cancelled) 

125. (Currently Amended) A The system of claim 142, for network content 
monitoring in a local or organizational network, comprising at least one processor and 
an electronically readable medium, configured with: 

a transport data monitor, connectable to a point in a network, for 
monitoring data being transported past said point, 

a description extractor, associated with said transport data monitor, for 
extracting descriptions of said data being transported, 

a database of at least one preobtained description of content stored in a 
content database associated with the network and the availability of which content 
around said network it is desired to monitor, wherein said preobtained description 
being obtained from said content stored in said content database in advance of said 
extracting descriptions, and 

a comparator, configured to determine whether said extracted 
description corresponds to any of said at least one preobtained descriptions, said 
determining including assigning a confidence level, said confidence level being 
incremented each time a correspondence with one of said preobtained descriptions is 
found, 

said comparator further being configured to decide using said 
confidence level, whether said data being transported comprises any of said content 
whose availability around said network it is desired to monitor according to said 
determining, thereby to manage data transport according to said determining, said 
managing comprising taking no action for a low level of confidence, allowing 
transport with a reduced bandwidth for a medium level of confidence and completely 
stopping said transport for a high level of confidence. 



Examiner: Christopher J. BROWN 
Group Art Unit: 2434 
Attorney Docket: 01/22067 



126. (Currently Amended) A The system of claim 142, for network content 
monitoring in a local or organizational network, comprising at least one processor and 
an electronically readable medium, configured with: 

a transport data monitor, connectable to a point in said network, for 
monitoring data being transported past said point, 

a description extractor, associated with said transport data monitor, for 
extracting descriptions of said data being transported, 

a database of at least one preobtained description of content stored in a 
content database associated with the network and the availability of which content 
around said network it is desired to monitor, wherein said content it is desired to 
monitor is should never sent out of the network, said content being internally 
generated in the network in advance of said extracting, said preobtained description 
being obtained in advance of said extracting descriptions, and 

a comparator, configured to determine whether said extracted 
description corresponds to any of said at least one preobtained descriptions, said 
determining comprising including assigning a confidence level, said confidence level 
being incremented each time a correspondence with one of said preobtained 
descriptions is found, thereby to allow said system to use said confidence level to 
determine whether said data being transported comprises any of said content whose 
availability around said network it is desired to monitor according to said determining 
and to manage transport of said data by taking no action for a low level of confidence, 
allowing transport with a reduced bandwidth for a medium level of confidence and 
completely stopping said transport for a high level of confidence. 

127. (Currently Amended) A The system of claim 142, for content 
monitoring of a local or organizational network, comprising at least one processor and 
an electronically readable medium, configured with: 

a database of at least one preobtained description of known content 
whose movements it is desired to monitor, further comprising 

a local monitor and control device for detecting and reporting events 
carried out at a local endpoint device in respect of said content and reporting of said 
event, thereby to allow an action to be taken, 

a description extractor, associated with said local monitor and control 
device, for extracting descriptions of said data being transported, (wherein said 
content for which descriptions are extracted comprises content being internally 
generated in the network in advance of said extracting, said preobtained description 
being obtained in advance of said extracting descriptions), and 

wherein said a comparator is configured to determine whether said 
extracted description corresponds to any of said at least one preobtained descriptions, 
by incrementing a confidence level each time a match is found, and to decide, whether 
said data being transported comprises any of said content whose movements it is 
desired to monitor according to said determining, based on said confidence level, 
thereby to allow said system to use said confidence levels to manage transport of said 
data, said managing comprising taking no action for a low level of confidence, 
allowing transport with a reduced bandwidth for a medium level of confidence and 
completely stopping said transport for a high level of confidence. 
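
The confidence-level scheme recited in claims 125 to 127, sketched in Python as an added illustration that is not part of the application or its claims. The sliding-window hashing, the window size and the two thresholds are assumptions; the claims name only low, medium and high levels of confidence.

```python
import hashlib

WINDOW = 16            # bytes per description window (assumption)
MEDIUM, HIGH = 4, 32   # assumed thresholds; the claims name only low/medium/high

def describe(data: bytes):
    """Description extractor: truncated SHA-256 of every sliding window."""
    for i in range(len(data) - WINDOW + 1):
        yield hashlib.sha256(data[i:i + WINDOW]).digest()[:8]

def build_database(documents) -> set:
    """Preobtained descriptions, computed in advance from the protected content."""
    return {d for doc in documents for d in describe(doc)}

def confidence(transported: bytes, database: set) -> int:
    """Comparator: increment the level once per correspondence found."""
    level = 0
    for description in describe(transported):
        if description in database:
            level += 1
    return level

def manage(level: int) -> str:
    """Map the confidence level to the three transport actions."""
    if level >= HIGH:
        return "stop"
    if level >= MEDIUM:
        return "reduce_bandwidth"
    return "no_action"

# Constructed sample content and traffic.
PROTECTED = (b"Q3 acquisition target: Example Corp, offer 41.50 per share, "
             b"board vote on 12 March.")
DATABASE = build_database([PROTECTED])
TRAFFIC = {
    "unrelated": b"Lunch menu for Tuesday: soup, salad and sandwiches.",
    "fragment": b"fyi: offer 41.50 per share was mentioned",
    "full_copy": b"attached: " + PROTECTED,
}

if __name__ == "__main__":
    for name, payload in TRAFFIC.items():
        level = confidence(payload, DATABASE)
        print(f"{name}: confidence={level} action={manage(level)}")
```

Because the level counts matching windows, a short quoted fragment lands in the medium band while a full copy accumulates enough correspondences to cross the high threshold.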

128. (Previously Presented) A system according to claim 1, further 
comprising 

a policy determinator connected to said comparator and configured to 
apply rule-based decision of a rule-based decision making unit to select between a set 
of outputs including: removing sensitive parts, altering the content, adding a message 
to said content, not allowing printing of said content, not allowing photocopying of 
said content and not allow saving of said content on portable media. 

129. (Currently Amended) A The system of claim 142, for network content 
monitoring comprising: 

at least one processor and an electronically readable medium, 

a transport data monitor, connectable to a point in a network, for 
monitoring data being transported past said point, 

a description extractor, associated with said transport data monitor, for 
extracting descriptions of said data being transported, 

a database of at least one preobtained description of content whose 
movements it is desired to monitor, and 

a comparator for determining whether said extracted description 
corresponds to any of said at least one preobtained descriptions, thereby to determine 
whether said data being transported comprises any of said content whose movements 
it is desired to monitor, wherein said data being transported comprising a plurality of 
protocol layers, the system further comprising a layer analyzer connected between 
said transport data monitor and said signature extractor, said layer analyzer 
comprising analyzer modules for at least two of said layers wherein at least one of 
said analyzer modules comprises an encryption detector for determining whether said 
transport data is encrypted, wherein said encryption detector comprises an entropy 
measurement unit for measuring entropy of said monitored transport data. 

130. (Previously Presented) A system according to claim 129, wherein said 
encryption detector is set to recognize a high entropy as an indication that encrypted 
data is present. 
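
An entropy measurement of the kind claims 129 and 130 recite, sketched in Python as an added illustration that is not part of the application or its claims. The threshold, the minimum sample size and the constructed samples are assumptions; the third sample shows that compressed data also scores as high entropy, so a high reading alone does not separate encryption from compression.

```python
import base64
import hashlib
import math
import zlib
from collections import Counter

THRESHOLD = 7.5    # bits per byte; assumed cut-off, the claims give no number
MIN_SAMPLE = 1024  # assumed; a buffer of n < 256 bytes cannot exceed log2(n) bits

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(payload: bytes) -> str:
    """Entropy measurement followed by the high-entropy decision."""
    if len(payload) < MIN_SAMPLE:
        return "too_short"
    if shannon_entropy(payload) >= THRESHOLD:
        return "high_entropy"
    return "low_entropy"

def keystream(blocks: int) -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 over a block counter."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(blocks))

# Constructed samples.
CIPHERTEXT_LIKE = keystream(128)                 # 4096 pseudo-random bytes
ENCODED_TEXT = base64.b64encode(keystream(192))  # 8192 ASCII characters
COMPRESSED = zlib.compress(ENCODED_TEXT)         # same content, deflated
SHORT = keystream(2)                             # 64 bytes, below MIN_SAMPLE

if __name__ == "__main__":
    for name, sample in [("ciphertext-like", CIPHERTEXT_LIKE),
                         ("base64 text", ENCODED_TEXT),
                         ("compressed", COMPRESSED),
                         ("short", SHORT)]:
        print(f"{name}: {shannon_entropy(sample):.2f} bits/byte "
              f"-> {classify(sample)}")
```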

131. (Currently Amended) The A system of claim 142, for network content 
monitoring, comprising: 

at least one processor and an electronically readable medium, 

a transport data monitor, connectable to a point in a network, for 
monitoring data being transported past said point, 

a description extractor, associated with said transport data monitor, for 
extracting descriptions of said data being transported, 

a database of at least one preobtained description of content whose 
movements it is desired to monitor, and 

a comparator for determining whether said extracted description 
corresponds to any of said at least one preobtained descriptions, thereby to determine 
whether said data being transported comprises any of said content whose movements 
it is desired to monitor, wherein said point is associated with a networked photocopier 
and wherein optical earner- character recognition is used in association with said point 
to obtain data for said description extractor, said system being further configured to 
control an output of said photocopier in accordance with said determination. 



132. (Currently Amended) A system for network content monitoring, 
comprising: 

at least one processor and an electronically readable medium, 

a transport data monitor, connectable to a point in a network, for 
monitoring data being transported past said point, 

a description extractor, associated with said transport data monitor, for 
extracting descriptions of said data being transported, 

a database of at least one preobtained description of content whose 
movements it is desired to monitor, and 

a comparator for determining whether said extracted description 
corresponds to any of said at least one preobtained descriptions, thereby to determine 
whether said data being transported comprises any of said content whose movements 
it is desired to monitor, the The system of claim 142, further comprising a policy 
determinator operable to use a rule-based decision making unit to remove parts of said 
data deemed by said comparator to be sensitive. 

133 - 140. (Cancelled) 

141. (Currently Amended) A system for network content monitoring, 
comprising: 

at least one processor and an electronically readable medium, 

a transport data monitor, connectable to a point in a network, for 
monitoring data being transported past said point, 

a description extractor, associated with said transport data monitor, for 
extracting descriptions of said data being transported, 

a database of at least one preobtained description of content whose 
movements it is desired to monitor, and 

a comparator for determining whether said extracted description 
corresponds to any of said at least one preobtained descriptions, thereby to determine 
whether said data being transported comprises any of said content whose movements 
it is desired to monitor, the The system of claim 142, being configured to used use 
said determination to prevent copying onto portable media or printing of said content 
whose movements it is desired to monitor. 

142. (Previously Presented) A system for network content monitoring, 
comprising: 

at least one processor and an electronically readable medium, 

a transport data monitor, connectable to a point in a network, for 
monitoring data being transported past said point, 

a description extractor, associated with said transport data monitor, for 
extracting descriptions of said data being transported, 

a database of at least one preobtained description of content whose 
movements it is desired to monitor, 

a comparator for determining whether said extracted description 
corresponds to any of said at least one preobtained descriptions, thereby to determine 
whether said data being transported comprises any of said content whose movements 
it is desired to monitor, and 

certification recognition functionality to recognize data sources as 
being trustworthy and to allow data transport originating from said trustworthy data 
sources to pass through without monitoring. 

143. (Currently Amended) A system for network content monitoring, 
comprising: 

at least one processor and an electronically readable medium, 

a transport data monitor, connectable to a point in a network, for 
monitoring data being transported past said point, 

a description extractor, associated with said transport data monitor, for 
extracting descriptions of said data being transported, 

a database of at least one preobtained description of content whose 
movements it is desired to monitor, 

a comparator for determining whether said extracted description 
corresponds to any of said at least one preobtained descriptions, thereby to determine 
whether said data being transported comprises any of said content whose movements 
it is desired to monitor. The system of claim 142, wherein said description extractor is 
configured to extract said descriptors using only partial basic decoding of said data. 



